VMware vCenter Server Out-of-Bounds Write Vulnerability

Summary

CVE	CVE-2023-34048
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-10-25 18:17:00 UTC
Updated	2023-10-31 15:18:00 UTC
Description	vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

Risk And Classification

EPSS: 0.932130000 probability, percentile 0.998000000 (date 2026-04-12)

CISA KEV: Listed on 2024-01-22; due 2024-02-12; ransomware use Unknown

Problem Types: CWE-787

CISA Known Exploited Vulnerability

Vendor	VMware
Product	vCenter Server
Name	VMware vCenter Server Out-of-Bounds Write Vulnerability
Required Action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes	https://www.vmware.com/security/advisories/VMSA-2023-0023.html; https://nvd.nist.gov/vuln/detail/CVE-2023-34048

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Vmware	Vcenter Server	7.0	-	All	All
Application	Vmware	Vcenter Server	7.0	a	All	All
Application	Vmware	Vcenter Server	7.0	b	All	All
Application	Vmware	Vcenter Server	7.0	c	All	All
Application	Vmware	Vcenter Server	7.0	d	All	All
Application	Vmware	Vcenter Server	7.0	update1	All	All
Application	Vmware	Vcenter Server	7.0	update1a	All	All
Application	Vmware	Vcenter Server	7.0	update1c	All	All
Application	Vmware	Vcenter Server	7.0	update1d	All	All
Application	Vmware	Vcenter Server	7.0	update2	All	All
Application	Vmware	Vcenter Server	7.0	update2a	All	All
Application	Vmware	Vcenter Server	7.0	update2b	All	All
Application	Vmware	Vcenter Server	7.0	update2c	All	All
Application	Vmware	Vcenter Server	7.0	update2d	All	All
Application	Vmware	Vcenter Server	7.0	update3	All	All
Application	Vmware	Vcenter Server	7.0	update3a	All	All
Application	Vmware	Vcenter Server	7.0	update3c	All	All
Application	Vmware	Vcenter Server	7.0	update3d	All	All
Application	Vmware	Vcenter Server	7.0	update3e	All	All
Application	Vmware	Vcenter Server	7.0	update3f	All	All
Application	Vmware	Vcenter Server	7.0	update3g	All	All
Application	Vmware	Vcenter Server	7.0	update3h	All	All
Application	Vmware	Vcenter Server	7.0	update3i	All	All
Application	Vmware	Vcenter Server	7.0	update3j	All	All
Application	Vmware	Vcenter Server	7.0	update3k	All	All
Application	Vmware	Vcenter Server	7.0	update3l	All	All
Application	Vmware	Vcenter Server	7.0	update3m	All	All
Application	Vmware	Vcenter Server	7.0	update3n	All	All
Application	Vmware	Vcenter Server	8.0	-	All	All
Application	Vmware	Vcenter Server	8.0	a	All	All
Application	Vmware	Vcenter Server	8.0	b	All	All
Application	Vmware	Vcenter Server	8.0	c	All	All
Application	Vmware	Vcenter Server	8.0	update1	All	All
Application	Vmware	Vcenter Server	8.0	update1a	All	All
Application	Vmware	Vcenter Server	8.0	update1b	All	All
Application	Vmware	Vcenter Server	8.0	update1c	All	All
Application	Vmware	Vcenter Server	All	All	All	All

References

Reference	Source	Link	Tags
VMSA-2023-0023	MISC	www.vmware.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

216315 VMware vCenter Server 8.0 Update 8.0 U1d (VMSA-2023-0023)
216316 VMware vCenter Server 8.0 Update 8.0 U2 (VMSA-2023-0023)
216317 VMware vCenter Server 7.0 Update 7.0 U3o (VMSA-2023-0023)
216318 VMware vCenter Server 6.7 Update 6.7U3T (VMSA-2023-0023)
216319 VMware vCenter Server 6.5 Update 6.5U3V (VMSA-2023-0023)